[codex] Fix v0.5 release gate polish #254

Merged
Navi Bot (project-navi-bot) merged 3 commits into main from codex/release-v050-gates
Jun 19, 2026
@Fieldnote-Echo (Member) commented Jun 19, 2026

Summary

  • harden tests/release_signed_release_invariants.sh against printf | grep -q SIGPIPE false failures under pipefail
  • clarify the v0.5 .ovfs / RankQuantFastscan contract across README, persisted-format, provenance, compatibility, and changelog docs
  • caveat BEIR benchmark claims around sign-rq2-threaded, HNSW graph side storage, and raise the dev-only requests floor to >=2.33.0
  • prep repository metadata for the completed Project-Navi/ordvec transfer across Cargo, PyPI, docs, badges, release checks, Go module path, issue templates, and release docs

Registry / UI Status

The GitHub transfer is complete, and the registry-side trusted-publisher records have been updated in the crates.io and PyPI settings UI to use Project-Navi/ordvec:

  • crates.io ordvec: owner Project-Navi, repository ordvec, workflow release.yml, environment crates-io
  • crates.io ordvec-manifest: owner Project-Navi, repository ordvec, workflow release.yml, environment crates-io
  • PyPI ordvec: owner Project-Navi, repository ordvec, workflow release.yml, environment pypi
  • PyPI ordvec-manifest: owner Project-Navi, repository ordvec, workflow release.yml, environment pypi

The GitHub environment audit default repo is now Project-Navi/ordvec; keep the human required reviewer as Fieldnote-Echo unless the environment reviewer itself is intentionally moved to a team/user.

Why

Main ci.yml failed the release-publish invariants job even though the release workflow grants id-token: write. The failure matches the quiet-grep broken-pipe pattern, so this removes the fragile producer pipelines from the structural release lint.

The release docs also mixed a stable public FastScan type with a .ovfs persistence format that is not yet covered by probe_index_metadata() or ordvec-manifest v1. This PR keeps .ovfs direct load/write support but makes the manifest/probe boundary explicit for v0.5.

The metadata sweep moves the public ordvec repository coordinates to Project-Navi/ordvec while preserving still-valid Fieldnote-Echo references for the human maintainer/reviewer and the separate ordvec-formalization companion repo.

Validation

  • bash -n tests/release_signed_release_invariants.sh && bash tests/release_signed_release_invariants.sh && bash tests/release_publish_invariants.sh
  • python3 tests/release_publish_invariants.py
  • python3 -m py_compile benchmarks/beir/beir_plot.py
  • cargo fmt --check
  • cargo check --manifest-path benchmarks/beir-bench/Cargo.toml --locked
  • cargo test --locked
  • cargo test -p ordvec-manifest --locked
  • cargo build -p ordvec-ffi --release --locked && (cd ordvec-go && go test ./...)
  • bash tests/release_environment_settings.sh
  • python3 -m pip index versions requests confirmed 2.33.0 is available
  • negative-path probe: temp release workflow with missing crates.io OIDC step now emits the expected ::error::signed-release invariant violated: publish-crate must contain an OIDC credential mint step
  • git diff --check
  • stale-string sweeps for old requests>=2.32.4, old HNSW labels, stale Fieldnote-Echo/ordvec repo-owner refs, and accidental Project-Navi/ordvec-formalization rewrites

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
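
The quiet-grep broken-pipe pattern named under "Why", as an added example (not code from this PR): the same check written as a producer pipeline and as a here-string, run under pipefail. The helper names and the sample text are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added illustration; helper names and sample text are constructed.
set -euo pipefail

# Constructed stand-in for a workflow file: the match sits near the top and
# ~1.3 MB of filler follows, far more than a pipe buffer holds.
make_text() {
  printf 'permissions:\n  id-token: write\n'
  seq 1 200000
}

# Fragile: grep -q exits at the first match while printf is still writing.
# printf then dies on SIGPIPE (status 141) or a write error, and pipefail
# makes that the status of the whole pipeline even though grep matched.
check_with_pipe() {
  local text="$1" pattern="$2"
  printf '%s\n' "$text" | grep -qE -- "$pattern"
}

# Hardened: a here-string has no producer process that can be killed.
check_with_herestring() {
  local text="$1" pattern="$2"
  grep -qE -- "$pattern" <<<"$text"
}

TEXT="$(make_text)"
PIPE_STATUS=0; check_with_pipe "$TEXT" 'id-token: write' || PIPE_STATUS=$?
HERE_STATUS=0; check_with_herestring "$TEXT" 'id-token: write' || HERE_STATUS=$?
printf 'pipe status=%s  here-string status=%s\n' "$PIPE_STATUS" "$HERE_STATUS"
```

The pipeline form only misreports when the input outgrows the pipe buffer, which is why the false failure can appear after a workflow file grows rather than when the check is written.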
@qodo-code-review

PR Summary by Qodo

Fix v0.5 release gates and clarify FastScan/BEIR docs
🐞 Bug fix 📝 Documentation ⚙️ Configuration changes 🕐 20-40 Minutes

Description

• Harden signed-release invariants to avoid pipefail SIGPIPE false negatives.
• Clarify .ovfs / RankQuantFastscan support boundaries vs probe/manifest v1.
• Refine BEIR/HNSW benchmark labeling and raise benchmark requests floor to 2.33.0.
Diagram

graph TD
  GA["GitHub Actions release"] --> INV["signed-release invariants"] --> WF[".github/workflows/release.yml"]
  DOCS[/"Docs & changelog"/] --> OVFS[".ovfs boundary"]
  BENCH[/"BEIR benchmark"/] --> HNSW["HNSW ' + graph' labels"] --> PLOT["beir_plot.py"]
  BENCH --> REQ["requirements.txt (requests>=2.33.0)"]
  subgraph Legend
    direction LR
    _wf["Workflow/job"] ~~~ _sh["Shell check"] ~~~ _doc[/"Documentation"/] ~~~ _cfg["Config/deps"]
  end
High-Level Assessment

The following are alternative approaches to this PR:

1. Parse workflow YAML structurally (yq/Python)
  • ➕ Avoids regex brittleness against YAML formatting changes
  • ➕ Eliminates grep/pipefail edge cases entirely
  • ➕ Can validate schema-like properties more explicitly
  • ➖ Adds a tooling dependency (yq) or a Python runtime requirement for the gate
  • ➖ More code/complexity than the current lightweight shell approach
2. Move invariants to a small Rust/Python checker binary
  • ➕ Stronger parsing + easier unit testing of invariants
  • ➕ Cleaner error reporting and extensibility
  • ➖ Increases build/runtime cost for a gate that currently runs in pure shell
  • ➖ Requires packaging/distribution decisions for the checker

Recommendation: Current approach (keeping it as shell but removing fragile producer pipelines) is a good tradeoff for a release gate: minimal dependencies, fast execution, and it fixes a real failure mode under pipefail. If YAML-format drift becomes a recurring issue, a structural parser (yq/Python) would be the next step.

Files changed (11) +154 / -81

Bug fix (2) +62 / -50
beir_plot.py: Fix plot legend to label HNSW as “4096 B + graph” (+1/-1)

• Adjusts the HNSW display label in plot styling to reflect that the graph side structure is not included in the 4096-byte payload accounting.

benchmarks/beir/beir_plot.py

release_signed_release_invariants.sh: Remove fragile 'printf | grep -q' pipelines under 'pipefail' (+61/-49)

• Introduces helper functions to run 'grep -q' via here-strings, avoiding SIGPIPE failures from short-circuiting consumers when 'pipefail' is enabled. Refactors multiple invariant checks to use these helpers and makes 'job_line' extraction resilient to missing matches.

tests/release_signed_release_invariants.sh

Documentation (7) +87 / -29
CHANGELOG.md: Document requests floor bump and clarify '.ovfs'/benchmark claims (+10/-3)

• Updates the security tooling note to raise the 'requests' lower bound to 2.33.0. Clarifies that '.ovfs' support exists via direct FastScan load/write, but probe/manifest support is deferred, and adds caveats about BEIR figures (method set and HNSW graph side storage).

CHANGELOG.md

README.md: Clarify BEIR claims, '.ovfs' trust boundary, and HNSW storage labels (+32/-18)

• Refines headline benchmark prose to scope claims to the committed default-method run. Makes '.ovfs' a direct API persistence path and explicitly outside 'probe_index_metadata()'/manifest v1 in v0.5.0, with trust-boundary guidance. Updates benchmark tables and narrative to label HNSW storage as “4096 + graph” and caveats 'sign-rq2-threaded' usage for release claims.

README.md

main.rs: Clarify HNSW size reporting as vector-only bytes (+3/-2)

• Updates comments to state that the numeric bytes-per-vector field reports only stored float-vector bytes, while docs label it as “4096 B + graph” to avoid implying the graph is free.

benchmarks/beir-bench/src/main.rs

README.md: Add HNSW “+ graph” and scope committed figures (+5/-1)

• Updates the method table to label HNSW as “4096 + graph” and explains the graph is implementation-owned side storage. Adds a note that committed figures use the default method set and do not include 'sign-rq2-threaded' yet.

benchmarks/beir/README.md

INDEX_PROVENANCE.md: Make '.ovfs' explicitly outside manifest/probe v1 in v0.5.0 (+11/-3)

• Reframes the doc to describe the manifest/probe-covered primitive formats separately from FastScan. Adds explicit guidance that '.ovfs' is direct-load only in v0.5.0 and should be bound by caller-owned integrity/attestation when crossing trust boundaries.

docs/INDEX_PROVENANCE.md

PERSISTED_FORMAT.md: Define '.ovfs' as direct-load-only outside v1 primitive contract (+17/-1)

• Adds a prominent note that '.ovfs' exists via 'RankQuantFastscan' direct API but is intentionally outside the v1 primitive persisted-format and probe/manifest contract. Documents that 'probe_index_metadata()' rejects OVFS in v0.5.0 and reiterates the probe-vs-load boundary for FastScan.

docs/PERSISTED_FORMAT.md

compatibility-policy.md: Clarify compatibility scope for '.ovfs' direct persistence (+9/-1)

• States that 'RankQuantFastscan::{write,load}' is supported, but '.ovfs' is not included in the v0.5.0 persisted-format/probe/manifest v1 contract and requires an explicit future compatibility review to promote.

docs/compatibility-policy.md

Other (2) +5 / -2
Makefile: Annotate benchmark method set and HNSW byte accounting caveat (+4/-1)

• Updates the benchmark method comments to label HNSW as “4096 B/vec + graph”. Adds a note that committed README figures intentionally omit the newer 'sign-rq2-threaded' probe row until artifacts are regenerated.

Makefile

requirements.txt: Raise benchmark 'requests' minimum to 2.33.0 (+1/-1)

• Bumps the lower bound for 'requests' from 2.32.4 to 2.33.0 to align with current security advisory guidance for the benchmark tooling environment.

benchmarks/beir/requirements.txt

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request primarily updates documentation, changelogs, and benchmarks to clarify that .ovfs (FastScan) artifacts are not yet covered by the probe_index_metadata or ordvec-manifest v1 contracts in v0.5.0, and clarifies that HNSW memory footprints include implementation-owned graph side storage. It also bumps the requests dependency in the BEIR benchmark to >=2.33.0 and refactors tests/release_signed_release_invariants.sh to use helper functions instead of raw pipelines. A critical issue was identified in the refactored job_line function in tests/release_signed_release_invariants.sh, where an empty match causes the function to return a non-zero exit status, triggering an immediate script termination under set -e and bypassing the intended error handling.

Comment thread tests/release_signed_release_invariants.sh
@qodo-code-review

qodo-code-review Bot commented Jun 19, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0) 📜 Skill insights (0)

Remediation recommended

1. set -e bypasses fail ✓ Resolved 🐞 Bug ◔ Observability
Description
job_line can still return a non-zero status when a pattern is missing, and require_job_line
captures it via command substitution under set -euo pipefail, which can terminate the script
before the intended fail ... message runs. This turns an invariant violation into a
hard-to-diagnose generic exit (losing the ::error::... annotation).
Code

tests/release_signed_release_invariants.sh[R80-87]

job_line() {
-  local jobname="$1" pattern="$2"
-  job_body "$jobname" | grep -nE "$pattern" | head -1 | cut -d: -f1
+  local jobname="$1" pattern="$2" body line
+  body="$(job_body "$jobname")"
+  line="$(grep -nE -m 1 -- "$pattern" <<<"$body" || true)"
+  [ -n "$line" ] && printf '%s\n' "${line%%:*}"
}

require_job_line() {
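
Review bot: The closing `[ -n "$line" ] && printf '%s\n' "${line%%:*}"` in job_line leaves the function with status 1 whenever nothing matched, so any caller that captures it with command substitution under set -e exits before it can report the miss; end the function with an explicit if/fi or `return 0` so absence is signalled by empty output only. Separately, the `|| true` after the grep also swallows grep's error status 2 (for example an invalid regex in "$pattern"), so a broken pattern would be reported as a missing line; consider tolerating only status 1.
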
Relevance

⭐⭐⭐ High

Team previously accepted adding || true around grep under set -e to avoid premature exits (same
pattern).

PR-#50
PR-#173

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The script enables set -euo pipefail, and job_line returns non-zero on a non-match;
require_job_line uses command substitution assignment, which can cause an immediate exit before
fail is invoked.

tests/release_signed_release_invariants.sh[45-92]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`job_line()` ends with `[ -n "$line" ] && ...`, which returns exit status 1 when no match is found. Because `require_job_line()` assigns with `line="$(job_line ...)"` under `set -e`, the script may exit immediately before emitting the explicit `fail` message.

### Issue Context
This script is intended to produce actionable `::error::...` messages when invariants break; premature exits lose that context.

### Fix Focus Areas
- tests/release_signed_release_invariants.sh[80-92]

### Suggested fix
- Ensure `job_line` returns 0 regardless of match outcome (e.g., add `return 0` at the end, or rewrite with an explicit `if ...; then ...; fi; return 0`).
- Alternatively/additionally, make `require_job_line` tolerant: `line="$(job_line ... || true)"` so missing matches can be handled by the subsequent `[ -n "$line" ] || fail ...` check.

Informational

2. Literal helper uses regex ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
contains_literal uses grep -q without -F, so the “needle” is interpreted as a regular
expression rather than a fixed string. If a future call passes regex metacharacters, the invariant
can match unintended text and silently weaken the gate.
Code

tests/release_signed_release_invariants.sh[R56-59]

+contains_literal() {
+  local text="$1" needle="$2"
+  grep -q -- "$needle" <<<"$text"
+}
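
Review bot: contains_literal passes "$needle" to `grep -q` without -F, so the needle is matched as a basic regular expression rather than the literal string the helper's name promises; a needle containing `.`, `*` or `[` would match text it was not meant to and weaken the check. Use `grep -Fq -- "$needle" <<<"$text"`, and add a one-line comment stating the return contract (0 on match, 1 otherwise).
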
Relevance

⭐⭐ Medium

No prior review evidence requiring grep -F for “literal” helpers; scripts commonly use regex grep
patterns.

PR-#173
PR-#50

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The helper is defined as grep -q -- "$needle", and grep defaults to regex matching unless -F
is provided.

tests/release_signed_release_invariants.sh[51-59]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`contains_literal()` claims to check for a literal substring, but it uses `grep -q` (regex mode). This can misbehave if the needle contains regex metacharacters.

### Issue Context
Today it’s only used with `--no-verify` (safe), but the helper is generic and likely to be reused.

### Fix Focus Areas
- tests/release_signed_release_invariants.sh[56-59]

### Suggested fix
- Change the implementation to fixed-string matching: `grep -Fq -- "$needle" <<<"$text"`.
- If regex semantics are desired, rename the function to reflect that (e.g., `contains_regex`).


Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
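
The `set -e` finding from the review above, reproduced as an added example (not code from this PR or from the review bot): a miniature gate is run in a child bash so errexit behaves as it does in a real script. BODY, GATE, run_gate and the `_fragile`/`_fixed` names are constructed; job_line_fragile follows the shape of the hunk's new lines.

```bash
#!/usr/bin/env bash
# Added illustration. GATE is a constructed miniature of a release gate; it is
# executed with `bash -c` so that `set -e` applies exactly as in a real script.
GATE='
set -euo pipefail
BODY="steps:
  - uses: actions/checkout
  - run: cargo publish"
fail() { printf "::error::%s\n" "$*"; exit 1; }

# Shape of the hunk: the last command is a bare && list, so a miss returns 1.
job_line_fragile() {
  local line
  line="$(grep -nE -m 1 -- "$1" <<<"$BODY" || true)"
  [ -n "$line" ] && printf "%s\n" "${line%%:*}"
}

# Fixed shape: a miss is empty output with status 0.
job_line_fixed() {
  local line
  line="$(grep -nE -m 1 -- "$1" <<<"$BODY" || true)"
  if [ -n "$line" ]; then printf "%s\n" "${line%%:*}"; fi
}

# Caller in the style of require_job_line: capture, then report a miss.
line="$("$1" "$2")"
[ -n "$line" ] || fail "no step matches: $2"
printf "line %s\n" "$line"
'

# run_gate <finder> <pattern>: print whatever the gate emitted before exiting.
run_gate() { bash -c "$GATE" gate "$1" "$2" 2>&1; }

printf 'fragile, miss: [%s]\n' "$(run_gate job_line_fragile 'id-token')"
printf 'fixed,   miss: [%s]\n' "$(run_gate job_line_fixed 'id-token')"
printf 'fixed,   hit:  [%s]\n' "$(run_gate job_line_fixed 'cargo publish')"
```

With the fragile finder the gate still exits non-zero on a miss, but with no `::error::` line, so the CI log shows a failed job without saying which invariant broke.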
@codecov

codecov Bot commented Jun 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
@project-navi-bot Navi Bot (project-navi-bot) merged commit 559a5cb into main Jun 19, 2026
38 checks passed
@project-navi-bot Navi Bot (project-navi-bot) deleted the codex/release-v050-gates branch June 19, 2026 18:22